Add the ability to controll password-peppering for Synapse

Closes Github issue #5

CHANGELOG.md

@@ -1,6 +1,11 @@
 # 2018-09-07
 
-## Statistics-reporting support
+## Password-peppering support for Matrix Synapse
+
+The playbook now supports enabling password-peppering for increased security in Matrix Synapse via the `matrix_synapse_password_config_pepper` playbook variable. Using a password pepper is disabled by default (just like it used to be before this playbook variable got introduced) and is not to be enabled/disabled after initial setup, as that would invalidate all existing passwords.
+
+
+## Statistics-reporting support for Matrix Synapse
 
 There's now a new `matrix_synapse_report_stats` playbook variable, which controls the `report_stats` configuration option for Matrix Synapse. It defaults to `false`, so no change is required to retain your privacy.
 

roles/matrix-server/defaults/main.yml

@@ -68,6 +68,9 @@ matrix_synapse_rc_message_burst_count: 10.0
 # (things like number of users, number of messages sent, uptime, load, etc.)
 matrix_synapse_report_stats: false
 
+# Controls password-peppering for Matrix Synapse. Not to be changed after initial setup.
+matrix_synapse_password_config_pepper: ""
+
 # A list of additional "volumes" to mount in the container.
 # This list gets populated dynamically based on Synapse extensions that have been enabled.
 # Contains definition objects like this: `{"src": "/outside", "dst": "/inside", "options": "rw|ro|slave|.."}

roles/matrix-server/templates/synapse/homeserver.yaml.j2

@@ -538,7 +538,7 @@ password_config:
    enabled: true
    # Uncomment and change to a secret random string for extra security.
    # DO NOT CHANGE THIS AFTER INITIAL SETUP!
-   #pepper: ""
+   pepper: "{{ matrix_synapse_password_config_pepper }}"